{
	"id": "6e782eab-7b57-4750-9246-08e205e7f0bb",
	"created_at": "2026-04-06T00:11:08.378088Z",
	"updated_at": "2026-04-10T13:12:37.495823Z",
	"deleted_at": null,
	"sha1_hash": "82d6d742cbb69587d02d94aacc3f5b78de37aad7",
	"title": "Taking Action Against Hackers in Palestine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1038135,
	"plain_text": "Taking Action Against Hackers in Palestine\r\nPublished: 2021-04-21 · Archived: 2026-04-05 19:44:16 UTC\r\nToday, we’re sharing actions we took against two separate groups of hackers in Palestine — a network linked to\r\nthe Preventive Security Service (PSS) and a threat actor known as Arid Viper — removing their ability to use their\r\ninfrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet. To the best\r\nof our knowledge, this is the first public reporting of this PSS activity.\r\nFacebook threat intelligence analysts and security experts work to find and stop a wide range of threats including\r\ncyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other\r\ngroups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying\r\npeople if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve\r\nthe security of our products.\r\nToday we’re sharing our latest research into two clusters of unconnected cyber espionage activity. One of them\r\ntargeted primarily domestic audiences in Palestine. The other cluster targeted audiences in the Palestinian\r\nterritories and Syria and to a lesser extent Turkey, Iraq, Lebanon and Libya.\r\nTo disrupt both these operations, we took down their accounts, released malware hashes, blocked domains\r\nassociated with their activity and alerted people who we believe were targeted by these groups to help them secure\r\ntheir accounts. We shared information with our industry partners including the anti-virus community so they too\r\ncan detect and stop this activity, strengthening our collective response against these groups across the internet. 
We\r\nencourage people to remain vigilant and take steps to protect their accounts, avoid clicking on suspicious links and\r\ndownloading software from untrusted sources that can compromise their devices and information stored on them.\r\nThe groups behind these operations are persistent adversaries, and we know they will evolve their tactics in\r\nresponse to our enforcement. However, we keep improving our detection systems and collaborating with other\r\nteams in the security community to continue making it harder for these threat actors to remain undetected. We’ll\r\nkeep sharing our findings when possible so people are aware of the threats we’re seeing and can take steps to\r\nstrengthen the security of their accounts.\r\nHere’s What We Found\r\nPSS-Linked Group\r\nThis activity originated in the West Bank and focused on the Palestinian territories and Syria, and to a lesser extent\r\nTurkey, Iraq, Lebanon and Libya. It relied on social engineering to trick people into clicking on malicious links\r\nand installing malware on their devices. Our investigation found links to the Preventive Security Service — the\r\nPalestinian Authority’s internal intelligence organization.\r\nThis persistent threat actor focused on a wide range of targets, including journalists, people opposing the Fatah-led\r\ngovernment, human rights activists and military groups including the Syrian opposition and Iraqi military. 
They\r\nhttps://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/\r\nPage 1 of 7\n\nused their own low-sophistication malware disguised as secure chat applications, in addition to malware tools\r\nopenly available on the internet.\r\nOur investigation analyzed a number of notable tactics, techniques and procedures (TTPs):\r\nAndroid malware: This group’s custom-built Android malware had relatively simple functionality and\r\nrequired a limited set of device-level permissions, which likely helped it to stay under the radar for most\r\nanti-virus detection systems. This malware masqueraded as secure chat applications. Once installed, it\r\ncollected information such as device metadata (e.g. manufacturer, OS version, IMEI), call logs, location,\r\ncontacts and text messages. In rare cases, it also contained keylogger functionality — an ability to record\r\nevery keystroke made on a device. Once collected, the malware would upload the data to Firebase, a\r\nmobile app development platform. In addition to their custom-made malware, this group also utilized\r\npublicly available Android malware called SpyNote which had more functionality including remote device\r\naccess and the ability to monitor calls.\r\nWindows malware: This group occasionally deployed publicly available malware for Windows, including\r\nNJRat and HWorm, commonly used in the region. They also bundled Windows malware in the installer\r\npackage for their own decoy application for journalists to submit human rights-related articles for\r\npublication. 
This app had no legitimate functionality.\r\nSocial engineering: This group used fake and compromised accounts to create fictitious personas posing\r\nprimarily as young women, and also as supporters of Hamas, Fatah, various military groups, journalists\r\nand activists to build trust with people they targeted and trick them into installing malicious software.\r\nSome of their Pages were designed to lure particular followers for later social engineering and malware\r\ntargeting. Likely to build audiences, these Pages posted memes criticizing Russian foreign policy in the\r\nMiddle East, Russian military contractor Wagner Group and its involvement in Syria and Libya and the\r\nAssad government.\r\nThreat Indicators:\r\nAndroid C2 Domains\r\nnews-fbcb4.firebaseio[.]com\r\nnews-fbcb4.appspot[.]com\r\nchaty-98547.firebaseio[.]com\r\nchaty-98547.appspot[.]com\r\njamila-c8420.firebaseio[.]com\r\njamila-c8420.appspot[.]com\r\nshowra-22501.firebaseio[.]com\r\nshowra-22501.appspot[.]com\r\ngoodwork-25869.firebaseio[.]com\r\ngoodwork-25869.appspot[.]com\r\nadvance-chat-app.firebaseio[.]com\r\nadvance-chat-app.appspot[.]com\r\nfiltersapp-715ee.firebaseio[.]com\r\nfiltersapp-715ee.appspot[.]com\r\nhumanrights-1398b.firebaseio[.]com\r\nhumanrights-1398b.appspot[.]com\r\njamilabouhaird-c0935.firebaseio[.]com\r\njamilabouhaird-c0935.appspot[.]com\r\nhotchat-f0c0e.appspot[.]com\r\nhotnewchat.appspot[.]com\r\nAndroid Hashes\r\n
aeb0c38219e714ab881d0065b9fc1915ba84ad5b86916a82814d056f1dfaf66d\r\n3c21c0f64ef7b606abb73b9574d0d66895e180e6d1cf2ad21addd5ade79b69fb\r\nd2787aff6e827809b836e62b06cca68bec92b3e2144f132a0015ce397cf3cac2\r\n2580f7afb4746b223b14aceab76bd8bc2e4366bfa55ebf203de2715176032525\r\nf7ea82e4c329bf8e29e9da37fcaf35201dd79c2fc55cc0feb88aedf0b2d26ec2\r\n0540051935145fb1e3f9361ec55b62a759ce6796c1f355249805d186046328dc\r\n03de278ec4c4855b885520a377f8b1df462a1d8a4b57b492b3b052aafe509793\r\nfe77e052dc1a8ebea389bc0d017191e0f41d8e47d034c30df95e3d0dc33cfe10\r\n6356d55c79a82829c949a46c762f9bb4ca53da01a304b13b362a8a9cab20d4d2\r\n9a53506c429fa4ff9113b2cbd37d96c708b4ebb8f3424c1b7f6b05ef678f2230\r\nbf61c078157dd7523cb580672273190de5de3d41577f5d66c5afcdfeade09213\r\n154cb010e8ac4c50a47f4b218c133b5c7d059f5aff4c2820486e0ae511966e89\r\n44ccafb69e61139d9107a87f58133c43b8586931faf620c38c1824057d66d614\r\nSpyNote C2\r\nlion20810397.ddns[.]net\r\nWindows Malware C2 Domains\r\ncamera.dvrcam[.]info\r\nfacebooks.ddns[.]me\r\ngoogle.loginto[.]me\r\nWindows Malware Hashes\r\n05320c7348c156f0a98907d2b1527ff080eae36437d58735f2822d9f42f5d273\r\nLinks to Android Malware\r\napp-chat1.atwebpages[.]com\r\napp-showchat.atwebpages[.]com\r\nshowra-chat.atwebpages[.]com\r\nArid Viper\r\nThis activity originated in Palestine and targeted individuals in the same region, including government officials,\r\nmembers of the Fatah political party, student groups and security forces. Our investigation linked this campaign to\r\nArid Viper, a known advanced persistent threat actor. 
It used sprawling infrastructure to support its operations,\r\nincluding over a hundred websites that either hosted iOS and Android malware, attempted to steal credentials\r\nthrough phishing or acted as command and control servers.\r\nThey appear to operate across multiple internet services, using a combination of social engineering, phishing\r\nwebsites and continually evolving Windows and Android malware in targeted cyber espionage campaigns.\r\nWe shared threat indicators with industry peers and security researchers as part of a concerted effort to disrupt this\r\ngroup’s operations. We’re also sharing a detailed technical report with our findings, including threat indicators to\r\nhelp advance our industry’s understanding of this adversary (below).\r\nHere are our key findings and some of the notable tactics, techniques and procedures (TTPs) we’ve observed:\r\nCustom iOS Surveillanceware:\r\nArid Viper used custom-built iOS surveillanceware which hasn’t been previously reported and reflects a\r\ntactical shift. We call this iOS component Phenakite due to it being rare and deriving its name from the\r\nGreek word Phenakos, meaning to deceive or cheat.\r\nInstallation of Phenakite required that people be tricked into installing a mobile configuration profile. This\r\nallowed for a device-specific signed version of the iOS app to be installed on a device. A jailbroken device\r\nwasn’t required.\r\nPost-installation, a jailbreak was necessary for the malware to elevate its privileges to retrieve sensitive\r\nuser information not accessible via standard iOS permission requests. This was achieved with the publicly\r\navailable Osiris jailbreak that made use of the Sock Port exploit, both of which were bundled in the\r\nmalicious iOS app store packages (IPAs).\r\nArid Viper’s iOS surveillanceware was trojanized inside a fully functional chat application that used the\r\nopen-source RealtimeChat code for legitimate app functionality. 
This malware could also direct people to\r\nphishing pages for Facebook and iCloud to steal their credentials for those services.\r\nArid Viper’s use of custom iOS surveillanceware shows that this capability is becoming increasingly\r\nattainable by adversaries believed to be of lower sophistication.\r\nEvolving Android and Windows Malware\r\nThe Android tooling used by Arid Viper shares many similarities with malware previously reported as\r\nFrozenCell and VAMP.\r\nThe Android malware deployed by Arid Viper required people to install apps from third-party sources on\r\ntheir devices. The group used various convincing, attacker-controlled sites to create the impression that the\r\napps were legitimate.\r\nArid Viper’s recent operations also used variants of a malware family known as Micropsia, which\r\npreviously has been associated with this threat actor.\r\nMalware Distribution\r\nDelivery of both the Android and iOS malware involved social engineering.\r\nAndroid malware was typically hosted on convincing looking attacker-controlled phishing sites. At the\r\ntime of this writing, we discovered 41 such sites.\r\niOS malware was previously found to be distributed from a 3rd party Chinese app development site. After\r\nwe shared our findings with industry partners which led to the revocation of multiple developer certificates,\r\nArid Viper’s ability to distribute Phenakite was disrupted. 
We’ve since seen them try setting up their own\r\ninfrastructure to distribute their iOS implant.\r\nWhile Arid Viper tooling has previously been discovered in official app channels like the Play Store, we\r\ndidn’t find it to be the case in this most recent campaign.\r\nCompromise Flow: [figure]\r\nSee the full Threat Report on Arid Viper for more information and IOCs.\r\nSource: https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/"
	],
	"report_names": [
		"taking-action-against-hackers-in-palestine"
	],
	"threat_actors": [
		{
			"id": "9ff60d4d-153b-4ed5-a2f7-18a21d2fa05d",
			"created_at": "2022-10-25T16:07:23.539852Z",
			"updated_at": "2026-04-10T02:00:04.647734Z",
			"deleted_at": null,
			"main_name": "Desert Falcons",
			"aliases": [
				"APT-C-23",
				"ATK 66",
				"Arid Viper",
				"Niobium",
				"Operation Arid Viper",
				"Operation Bearded Barbie",
				"Operation Rebound",
				"Pinstripe Lightning",
				"Renegade Jackal",
				"TAG-63",
				"TAG-CT1",
				"Two-tailed Scorpion"
			],
			"source_name": "ETDA:Desert Falcons",
			"tools": [
				"AridSpy",
				"Barb(ie) Downloader",
				"BarbWire",
				"Desert Scorpion",
				"FrozenCell",
				"GlanceLove",
				"GnatSpy",
				"KasperAgent",
				"Micropsia",
				"PyMICROPSIA",
				"SpyC23",
				"Viper RAT",
				"ViperRAT",
				"VolatileVenom",
				"WinkChat",
				"android.micropsia"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b1979c55-037a-415f-b0a3-cab7933f5cd4",
			"created_at": "2024-04-24T02:00:49.561432Z",
			"updated_at": "2026-04-10T02:00:05.416794Z",
			"deleted_at": null,
			"main_name": "APT-C-23",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"TAG-63",
				"Grey Karkadann",
				"Big Bang APT",
				"Two-tailed Scorpion"
			],
			"source_name": "MITRE:APT-C-23",
			"tools": [
				"Micropsia"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "929d794b-0e1d-4d10-93a6-29408a527cc2",
			"created_at": "2023-01-06T13:46:38.70844Z",
			"updated_at": "2026-04-10T02:00:03.075002Z",
			"deleted_at": null,
			"main_name": "AridViper",
			"aliases": [
				"Desert Falcon",
				"Arid Viper",
				"APT-C-23",
				"Bearded Barbie",
				"Two-tailed Scorpion"
			],
			"source_name": "MISPGALAXY:AridViper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "35b3e533-7483-4f07-894e-2bb3ac855207",
			"created_at": "2025-08-07T02:03:24.540035Z",
			"updated_at": "2026-04-10T02:00:03.69627Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SHADYSIDE",
			"aliases": [
				"APT-C-23 ",
				"Arid Viper ",
				"Desert Falcon "
			],
			"source_name": "Secureworks:ALUMINUM SHADYSIDE",
			"tools": [
				"Micropsia",
				"SpyC23"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82d6d742cbb69587d02d94aacc3f5b78de37aad7.pdf",
		"text": "https://archive.orkl.eu/82d6d742cbb69587d02d94aacc3f5b78de37aad7.txt",
		"img": "https://archive.orkl.eu/82d6d742cbb69587d02d94aacc3f5b78de37aad7.jpg"
	}
}